
Infected Linux web servers pushing malware

Posted May 16, 2013 20:06 UTC (Thu) by ebirdie (guest, #512)
Parent article: Infected Linux web servers pushing malware

One ESET blog says that the number of affected web servers is in the hundreds and not in the thousands. That suggests that maybe this attack isn't using some software vulnerability to get access. The use of sophisticated command channels and stealthy techniques suggests that the attack might propagate itself through legitimate administration connections by stolen passwords/keys and/or a trojaned PuTTY/SSH. Maybe someone was busy and successful in scanning and collecting .ssh/id_rsa keys from GitHub a while ago. Maybe the recent attack on kernel.org has ramifications here. Maybe this thing takes advantage of the decreasing number of Windows admins, who aren't used to checking PuTTY's package and the repository where they get it for connecting to and commanding Linux servers.

Just my 2 pennies.




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds